Sanitize input so it's safer (#168)

* sanitize

* sanitize json pointer

* correct defaults for props

* correctly escape regexp

* Correct sanitize multiple slashes

* last round of feedbacks

Author: mcollina

index.js

@@ -2,6 +2,7 @@
 
 var Ajv = require('ajv')
 var merge = require('deepmerge')
+var util = require('util')
 var validate = require('./schema-validator')
 
 var uglify = null
@@ -310,7 +311,7 @@ function addPatternProperties (schema, externalSchema, fullSchema) {
     }
     var type = pp[regex].type
     code += `
-        if (/${regex}/.test(keys[i])) {
+        if (/${regex.replace(/\\*\//g, '\\/')}/.test(keys[i])) {
     `
     if (type === 'object') {
       code += buildObject(pp[regex], '', 'buildObjectPP' + index, externalSchema, fullSchema)
@@ -505,13 +506,27 @@ function refFinder (ref, schema, externalSchema) {
       return dereferenced
     } else {
       for (var i = 1; i < walk.length; i++) {
-        code += `['${walk[i]}']`
+        code += `['${sanitizeKey(walk[i])}']`
       }
     }
   }
   return (new Function('schema', code))(schema)
 }
 
+function sanitizeKey (key) {
+  const rep = key.replace(/(\\*)'/g, function (match, p1) {
+    var base = ''
+    if (p1.length % 2 === 1) {
+      base = p1.slice(2)
+    } else {
+      base = p1
+    }
+    var rep = base + '\\\''
+    return rep
+  })
+  return rep
+}
+
 function buildCode (schema, code, laterCode, name, externalSchema, fullSchema) {
   Object.keys(schema.properties || {}).forEach((key, i, a) => {
     if (schema.properties[key]['$ref']) {
@@ -523,49 +538,51 @@ function buildCode (schema, code, laterCode, name, externalSchema, fullSchema) {
 
     var type = schema.properties[key].type
     var nullable = schema.properties[key].nullable
+    var sanitized = sanitizeKey(key)
+    var asString = sanitizeKey($asString(key).replace(/\\/g, '\\\\'))
 
     if (nullable) {
       code += `
-        if (obj['${key}'] === null) {
+        if (obj['${sanitized}'] === null) {
           ${addComma}
-          json += '${$asString(key)}:null'
+          json += '${asString}:null'
           var rendered = true
         } else {
       `
     }
 
     if (type === 'number') {
       code += `
-          var t = Number(obj['${key}'])
+          var t = Number(obj['${sanitized}'])
           if (!isNaN(t)) {
             ${addComma}
-            json += '${$asString(key)}:' + t
+            json += '${asString}:' + t
       `
     } else if (type === 'integer') {
       code += `
           var rendered = false
       `
       if (isLong) {
         code += `
-            if (isLong(obj['${key}'])) {
+            if (isLong(obj['${sanitized}'])) {
               ${addComma}
-              json += '${$asString(key)}:' + obj['${key}'].toString()
+              json += '${asString}:' + obj['${sanitized}'].toString()
               rendered = true
             } else {
-              var t = Number(obj['${key}'])
+              var t = Number(obj['${sanitized}'])
               if (!isNaN(t)) {
                 ${addComma}
-                json += '${$asString(key)}:' + t
+                json += '${asString}:' + t
                 rendered = true
               }
             }
         `
       } else {
         code += `
-            var t = Number(obj['${key}'])
+            var t = Number(obj['${sanitized}'])
             if (!isNaN(t)) {
               ${addComma}
-              json += '${$asString(key)}:' + t
+              json += '${asString}:' + t
               rendered = true
             }
         `
@@ -575,9 +592,9 @@ function buildCode (schema, code, laterCode, name, externalSchema, fullSchema) {
       `
     } else {
       code += `
-        if (obj['${key}'] !== undefined) {
+        if (obj['${sanitized}'] !== undefined) {
           ${addComma}
-          json += '${$asString(key)}:'
+          json += '${asString}:'
         `
 
       var result = nested(laterCode, name, key, schema.properties[key], externalSchema, fullSchema)
@@ -590,12 +607,12 @@ function buildCode (schema, code, laterCode, name, externalSchema, fullSchema) {
       code += `
       } else {
         ${addComma}
-        json += '${$asString(key)}:${JSON.stringify(defaultValue).replace(/'/g, '\'')}'
+        json += '${asString}:${sanitizeKey(JSON.stringify(defaultValue).replace(/\\/g, '\\\\'))}'
       `
     } else if (schema.required && schema.required.indexOf(key) !== -1) {
       code += `
       } else {
-        throw new Error('${key} is required!')
+        throw new Error('${sanitized} is required!')
       `
     }
 
@@ -658,7 +675,7 @@ function addIfThenElse (schema, name, externalSchema, fullSchema) {
   var merged = merge(copy, then)
 
   code += `
-    valid = ajv.validate(${require('util').inspect(i, { depth: null })}, obj)
+    valid = ajv.validate(${util.inspect(i, { depth: null })}, obj)
     if (valid) {
   `
   if (merged.if && merged.then) {
@@ -856,6 +873,8 @@ function nested (laterCode, name, key, schema, externalSchema, fullSchema, subKe
   var code = ''
   var funcName
 
+  subKey = subKey || ''
+
   if (schema.type === undefined) {
     var inferedType = inferTypeByKeyword(schema)
     if (inferedType) {
@@ -866,7 +885,7 @@ function nested (laterCode, name, key, schema, externalSchema, fullSchema, subKe
   var type = schema.type
   var nullable = schema.nullable === true
 
-  var accessor = key.indexOf('[') === 0 ? key : `['${key}']`
+  var accessor = key.indexOf('[') === 0 ? sanitizeKey(key) : `['${sanitizeKey(key)}']`
   switch (type) {
     case 'null':
       code += `
@@ -902,7 +921,7 @@ function nested (laterCode, name, key, schema, externalSchema, fullSchema, subKe
     case undefined:
       if ('anyOf' in schema) {
         schema.anyOf.forEach((s, index) => {
-          var nestedResult = nested(laterCode, name, key, s, externalSchema, fullSchema, subKey !== undefined ? subKey : 'i' + index)
+          var nestedResult = nested(laterCode, name, key, s, externalSchema, fullSchema, subKey !== '' ? subKey : 'i' + index)
           code += `
             ${index === 0 ? 'if' : 'else if'}(ajv.validate(${require('util').inspect(s, { depth: null })}, obj${accessor}))
               ${nestedResult.code}

test/anyof.test.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const test = require('tap').test
+const { test } = require('tap')
 const build = require('..')
 
 test('object with multiple types field', (t) => {

test/sanitize.test.js

@@ -0,0 +1,142 @@
+'use strict'
+
+const t = require('tap')
+const build = require('..')
+
+const stringify = build({
+  title: 'Example Schema',
+  type: 'object',
+  properties: {
+    firstName: {
+      type: 'string'
+    },
+    lastName: {
+      type: 'string'
+    },
+    age: {
+      description: 'Age in years"',
+      type: 'integer'
+    },
+    [(() => `phra'&& process.exit(1) ||'phra`)()]: {},
+    now: {
+      type: 'string'
+    },
+    reg: {
+      type: 'string',
+      default: 'a\'&& process.exit(1) ||\''
+    },
+    obj: {
+      type: 'object',
+      properties: {
+        bool: {
+          type: 'boolean'
+        }
+      }
+    },
+    '"\'w00t': {
+      type: 'string',
+      default: '"\'w00t'
+    },
+    arr: {
+      type: 'array',
+      items: {
+        type: 'object',
+        properties: {
+          'phra\' && process.exit(1)//': {
+            type: 'number'
+          },
+          str: {
+            type: 'string'
+          }
+        }
+      }
+    }
+  },
+  required: ['now'],
+  patternProperties: {
+    '.*foo$': {
+      type: 'string'
+    },
+    'test': {
+      type: 'number'
+    },
+    'phra\'/ && process.exit(1) && /\'': {
+      type: 'number'
+    },
+    '"\'w00t.*////': {
+      type: 'number'
+    }
+  },
+  additionalProperties: {
+    type: 'string'
+  }
+})
+
+const obj = {
+  firstName: 'Matteo',
+  lastName: 'Collina',
+  age: 32,
+  now: new Date(),
+  foo: 'hello"',
+  bar: "world'",
+  'fuzz"': 42,
+  "me'": 42,
+  numfoo: 42,
+  test: 42,
+  strtest: '23',
+  arr: [{ 'phra\' && process.exit(1)//': 42 }],
+  obj: { bool: true },
+  notmatch: 'valar morghulis',
+  notmatchobj: { a: true },
+  notmatchnum: 42
+}
+
+// pass if it does not crash
+const json = stringify(obj)
+JSON.parse(json)
+
+const stringify2 = build({
+  title: 'Example Schema',
+  type: 'object',
+  patternProperties: {
+    '"\'w00t.*////': {
+      type: 'number'
+    }
+  }
+})
+
+t.deepEqual(JSON.parse(stringify2({
+  '"\'phra////': 42,
+  'asd': 42
+})), {
+})
+
+const stringify3 = build({
+  title: 'Example Schema',
+  type: 'object',
+  properties: {
+    "\"phra\\'&&(console.log(42))//||'phra": {}
+  }
+})
+
+// this verifies the escaping
+JSON.parse(stringify3({
+  '"phra\'&&(console.log(42))//||\'phra': 42
+}))
+
+const stringify4 = build({
+  title: 'Example Schema',
+  type: 'object',
+  properties: {
+    '"\\\\\\\\\'w00t': {
+      type: 'string',
+      default: '"\'w00t'
+    }
+  }
+})
+
+t.deepEqual(JSON.parse(stringify4({})), {
+  '"\\\\\\\\\'w00t': '"\'w00t'
+})
+
+t.pass('no crashes')